DOI: 10.1145/3600160.3605066
Research article, open access

Automatic incident response solutions: a review of proposed solutions’ input and output

Published: 29 August 2023

Abstract

Many organizations are exposed to the risk of cyber attacks that penetrate their computer networks. When such an attack occurs, e.g. a ransomware outbreak, it is desirable to respond quickly by containing the threat or limiting its consequences. Technologies that support this process have been in wide use for decades, including antivirus software and deep-packet inspection firewalls. A large body of cyber security research has set out to automate the incident handling process further, often motivated by the need to respond to more advanced cyber attacks or by the increasing cyber risks at stake. This paper reviews the research on automatic incident response solutions published since the year 2000, in order to identify gaps and guide further research. The proposed solutions are categorized in terms of the input they use (e.g. intrusion signals) and the output they perform (e.g. reconfiguring a network) using the D3FEND framework. The solutions presented in 45 papers from the academic literature are analyzed and compared to four commercially available solutions for automatic response. Many of the 45 papers described input and output in vague terms. The most common inputs came from asset inventories, platform monitoring and network traffic analysis. The most common output was network isolation measures, e.g. reconfiguring firewalls. Commercially available solutions focus more on looking up identifiers in reputation systems and on analyzing individual files.


Cited By

  • (2024) Requirements for Playbook-Assisted Cyber Incident Response, Reporting and Automation. Digital Threats: Research and Practice, 5(3), 1-11. DOI: 10.1145/3688810. Online publication date: 23 Aug 2024.
  • (2024) Fit for Forensics: Taxonomy and Common Model for Forensic Analysis of Fitness Trackers. Digital Threats: Research and Practice, 5(3), 1-20. DOI: 10.1145/3687271. Online publication date: 23 Aug 2024.


    Published In

    ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security, August 2023, 1440 pages. ISBN: 9798400707728. DOI: 10.1145/3600160.

    Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 29 August 2023


    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ARES 2023

    Acceptance Rates

    Overall Acceptance Rate 228 of 451 submissions, 51%

    Article Metrics

    • Downloads (last 12 months): 827
    • Downloads (last 6 weeks): 97
    Reflects downloads up to 23 Jan 2025.
